parent
2e26a3def6
commit
814ca724ca
@ -1 +1 @@
|
||||
SOURCES/openssl-3.2.1.tar.gz
|
||||
SOURCES/openssl-3.2.2.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
070a0ae6df5de8536c215046f7e7065fafde6504 SOURCES/openssl-3.2.1.tar.gz
|
||||
b12311372a0277ca0eb218a68a7fd9f5ce66d162 SOURCES/openssl-3.2.2.tar.gz
|
||||
|
@ -1,80 +0,0 @@
|
||||
From 105217c7d58c726f4e646177e0aaefb6115aad3e Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Date: Tue, 27 Feb 2024 15:22:58 +0100
|
||||
Subject: [PATCH 48/49] 0118-no-crl-memleak.patch
|
||||
|
||||
Patch-name: 0118-no-crl-memleak.patch
|
||||
Patch-id: 118
|
||||
Patch-status: |
|
||||
# https://github.com/openssl/openssl/issues/23770
|
||||
---
|
||||
crypto/x509/by_file.c | 2 ++
|
||||
test/recipes/60-test_x509_load_cert_file.t | 3 ++-
|
||||
test/x509_load_cert_file_test.c | 8 +++++++-
|
||||
3 files changed, 11 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
|
||||
index 5073c137a2..85923804ac 100644
|
||||
--- a/crypto/x509/by_file.c
|
||||
+++ b/crypto/x509/by_file.c
|
||||
@@ -198,6 +198,8 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
|
||||
goto err;
|
||||
}
|
||||
count++;
|
||||
+ X509_CRL_free(x);
|
||||
+ x = NULL;
|
||||
}
|
||||
} else if (type == X509_FILETYPE_ASN1) {
|
||||
x = d2i_X509_CRL_bio(in, NULL);
|
||||
diff --git a/test/recipes/60-test_x509_load_cert_file.t b/test/recipes/60-test_x509_load_cert_file.t
|
||||
index 75aeac362c..e329d7675c 100644
|
||||
--- a/test/recipes/60-test_x509_load_cert_file.t
|
||||
+++ b/test/recipes/60-test_x509_load_cert_file.t
|
||||
@@ -12,4 +12,5 @@ setup("test_load_cert_file");
|
||||
|
||||
plan tests => 1;
|
||||
|
||||
-ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem")])));
|
||||
+ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem"),
|
||||
+ srctop_file("test", "certs", "cyrillic_crl.pem")])));
|
||||
diff --git a/test/x509_load_cert_file_test.c b/test/x509_load_cert_file_test.c
|
||||
index 4a736071ae..c07d329915 100644
|
||||
--- a/test/x509_load_cert_file_test.c
|
||||
+++ b/test/x509_load_cert_file_test.c
|
||||
@@ -12,6 +12,7 @@
|
||||
#include "testutil.h"
|
||||
|
||||
static const char *chain;
|
||||
+static const char *crl;
|
||||
|
||||
static int test_load_cert_file(void)
|
||||
{
|
||||
@@ -27,12 +28,15 @@ static int test_load_cert_file(void)
|
||||
&& TEST_int_eq(sk_X509_num(certs), 4))
|
||||
ret = 1;
|
||||
|
||||
+ if (crl != NULL && !TEST_true(X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM)))
|
||||
+ ret = 0;
|
||||
+
|
||||
OSSL_STACK_OF_X509_free(certs);
|
||||
X509_STORE_free(store);
|
||||
return ret;
|
||||
}
|
||||
|
||||
-OPT_TEST_DECLARE_USAGE("cert.pem...\n")
|
||||
+OPT_TEST_DECLARE_USAGE("cert.pem [crl.pem]\n")
|
||||
|
||||
int setup_tests(void)
|
||||
{
|
||||
@@ -45,6 +49,8 @@ int setup_tests(void)
|
||||
if (chain == NULL)
|
||||
return 0;
|
||||
|
||||
+ crl = test_get_argument(1);
|
||||
+
|
||||
ADD_TEST(test_load_cert_file);
|
||||
return 1;
|
||||
}
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,170 +0,0 @@
|
||||
From f5b48604779362c91a22080b6905413fbba28b74 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Fri, 8 Mar 2024 11:18:12 +0100
|
||||
Subject: [PATCH 49/49] 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
|
||||
|
||||
Patch-name: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
|
||||
Patch-id: 119
|
||||
Patch-status: |
|
||||
# https://github.com/openssl/openssl/issues/22779
|
||||
---
|
||||
ssl/s3_lib.c | 8 ++++----
|
||||
ssl/ssl_lib.c | 2 +-
|
||||
ssl/ssl_local.h | 2 +-
|
||||
ssl/t1_lib.c | 45 ++++++++++++++++++++++++++++++++++-----------
|
||||
4 files changed, 40 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|
||||
index e8ec98c221..48a1aa0e61 100644
|
||||
--- a/ssl/s3_lib.c
|
||||
+++ b/ssl/s3_lib.c
|
||||
@@ -3685,13 +3685,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
|
||||
return tls1_set_sigalgs(sc->cert, parg, larg, 0);
|
||||
|
||||
case SSL_CTRL_SET_SIGALGS_LIST:
|
||||
- return tls1_set_sigalgs_list(sc->cert, parg, 0);
|
||||
+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 0);
|
||||
|
||||
case SSL_CTRL_SET_CLIENT_SIGALGS:
|
||||
return tls1_set_sigalgs(sc->cert, parg, larg, 1);
|
||||
|
||||
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
|
||||
- return tls1_set_sigalgs_list(sc->cert, parg, 1);
|
||||
+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 1);
|
||||
|
||||
case SSL_CTRL_GET_CLIENT_CERT_TYPES:
|
||||
{
|
||||
@@ -3968,13 +3968,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
||||
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
|
||||
|
||||
case SSL_CTRL_SET_SIGALGS_LIST:
|
||||
- return tls1_set_sigalgs_list(ctx->cert, parg, 0);
|
||||
+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 0);
|
||||
|
||||
case SSL_CTRL_SET_CLIENT_SIGALGS:
|
||||
return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
|
||||
|
||||
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
|
||||
- return tls1_set_sigalgs_list(ctx->cert, parg, 1);
|
||||
+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 1);
|
||||
|
||||
case SSL_CTRL_SET_CLIENT_CERT_TYPES:
|
||||
return ssl3_set_req_cert_type(ctx->cert, parg, larg);
|
||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||
index 1329841aaf..4d95ab71cd 100644
|
||||
--- a/ssl/ssl_lib.c
|
||||
+++ b/ssl/ssl_lib.c
|
||||
@@ -3078,7 +3078,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
||||
return tls1_set_groups_list(ctx, NULL, NULL, parg);
|
||||
case SSL_CTRL_SET_SIGALGS_LIST:
|
||||
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
|
||||
- return tls1_set_sigalgs_list(NULL, parg, 0);
|
||||
+ return tls1_set_sigalgs_list(ctx, NULL, parg, 0);
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
|
||||
index 0d3acfbe66..a73b2c4770 100644
|
||||
--- a/ssl/ssl_local.h
|
||||
+++ b/ssl/ssl_local.h
|
||||
@@ -2796,7 +2796,7 @@ __owur int tls_use_ticket(SSL_CONNECTION *s);
|
||||
|
||||
void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op);
|
||||
|
||||
-__owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client);
|
||||
+__owur int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client);
|
||||
__owur int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
|
||||
int client);
|
||||
__owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen,
|
||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||
index fe680449c5..87f2ae7000 100644
|
||||
--- a/ssl/t1_lib.c
|
||||
+++ b/ssl/t1_lib.c
|
||||
@@ -716,6 +716,7 @@ int ssl_load_sigalgs(SSL_CTX *ctx)
|
||||
|
||||
/* now populate ctx->ssl_cert_info */
|
||||
if (ctx->sigalg_list_len > 0) {
|
||||
+ OPENSSL_free(ctx->ssl_cert_info);
|
||||
ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len);
|
||||
if (ctx->ssl_cert_info == NULL)
|
||||
return 0;
|
||||
@@ -2889,6 +2890,7 @@ typedef struct {
|
||||
size_t sigalgcnt;
|
||||
/* TLSEXT_SIGALG_XXX values */
|
||||
uint16_t sigalgs[TLS_MAX_SIGALGCNT];
|
||||
+ SSL_CTX *ctx;
|
||||
} sig_cb_st;
|
||||
|
||||
static void get_sigorhash(int *psig, int *phash, const char *str)
|
||||
@@ -2913,7 +2915,8 @@ static void get_sigorhash(int *psig, int *phash, const char *str)
|
||||
static int sig_cb(const char *elem, int len, void *arg)
|
||||
{
|
||||
sig_cb_st *sarg = arg;
|
||||
- size_t i;
|
||||
+ size_t i = 0;
|
||||
+ int load_success = 0;
|
||||
const SIGALG_LOOKUP *s;
|
||||
char etmp[TLS_MAX_SIGSTRING_LEN], *p;
|
||||
int sig_alg = NID_undef, hash_alg = NID_undef;
|
||||
@@ -2943,17 +2946,36 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||
* in the table.
|
||||
*/
|
||||
if (p == NULL) {
|
||||
- for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
|
||||
- i++, s++) {
|
||||
- if (s->name != NULL && strcmp(etmp, s->name) == 0) {
|
||||
- sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
|
||||
- break;
|
||||
- }
|
||||
+ /* Load provider sigalgs */
|
||||
+ if (sarg->ctx) {
|
||||
+ load_success = ssl_load_sigalgs(sarg->ctx);
|
||||
}
|
||||
- if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||
- /* Ignore unknown algorithms if ignore_unknown */
|
||||
- return ignore_unknown;
|
||||
+ if (load_success) {
|
||||
+ /* Check if a provider supports the sigalg */
|
||||
+ for (i = 0; i < sarg->ctx->sigalg_list_len; i++) {
|
||||
+ if (sarg->ctx->sigalg_list[i].sigalg_name != NULL
|
||||
+ && strcmp(etmp,
|
||||
+ sarg->ctx->sigalg_list[i].sigalg_name) == 0) {
|
||||
+ sarg->sigalgs[sarg->sigalgcnt++] =
|
||||
+ sarg->ctx->sigalg_list[i].code_point;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
+ /* Check the built-in sigalgs */
|
||||
+ if (!sarg->ctx || !load_success || i == sarg->ctx->sigalg_list_len) {
|
||||
+ for (i = 0, s = sigalg_lookup_tbl;
|
||||
+ i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) {
|
||||
+ if (s->name != NULL && strcmp(etmp, s->name) == 0) {
|
||||
+ sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||
+ return ignore_unknown;
|
||||
+ }
|
||||
+ }
|
||||
} else {
|
||||
*p = 0;
|
||||
p++;
|
||||
@@ -2992,10 +3014,11 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||
* Set supported signature algorithms based on a colon separated list of the
|
||||
* form sig+hash e.g. RSA+SHA512:DSA+SHA512
|
||||
*/
|
||||
-int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
|
||||
+int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
|
||||
{
|
||||
sig_cb_st sig;
|
||||
sig.sigalgcnt = 0;
|
||||
+ sig.ctx = ctx;
|
||||
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
|
||||
return 0;
|
||||
if (sig.sigalgcnt == 0) {
|
||||
--
|
||||
2.44.0
|
||||
|
@ -0,0 +1,33 @@
|
||||
From 34a709e89e0c43928d9353aca1fb0c82aaa7e6ab Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Wed, 12 Jun 2024 20:14:04 +0900
|
||||
Subject: [PATCH] kdf: Preserve backward compatibility with older providers
|
||||
|
||||
Suggested in:
|
||||
https://github.com/openssl/openssl/issues/24611#issuecomment-2162560293
|
||||
---
|
||||
crypto/evp/pmeth_lib.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
|
||||
index 015f756..e776ea5 100644
|
||||
--- a/crypto/evp/pmeth_lib.c
|
||||
+++ b/crypto/evp/pmeth_lib.c
|
||||
@@ -1068,8 +1068,13 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
|
||||
os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
|
||||
os_params[1] = OSSL_PARAM_construct_end();
|
||||
|
||||
- if (!EVP_PKEY_CTX_get_params(ctx, os_params))
|
||||
+ if (!EVP_PKEY_CTX_get_params(ctx, os_params)) {
|
||||
+ if (EVP_PKEY_CTX_gettable_params(ctx) == NULL) {
|
||||
+ /* Older provider that doesn't support gettable parameters */
|
||||
+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
|
||||
+ }
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
/* Older provider that doesn't support getting this parameter */
|
||||
if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
|
||||
--
|
||||
2.45.1
|
||||
|
Loading…
Reference in new issue